Tip

Are Windows Vista security features up to par?

A SearchSecurity.com reader recently asked our platform security expert Michael Cobb, "Do the methods recently discovered to bypass Windows Vista memory protections reflect a lack of security in Vista, or an inability for any operating system to be completely safe?" Below, Michael Cobb explains what may be another question worth asking:

The Windows Vista operating system certainly doesn't lack security. In fact, it has bundles of new security features. When Vista was released, former Microsoft co-president Jim Allchin even told the press that the No. 1 reason for upgrading to Vista is that it's far more secure than previous versions of Windows operating systems.

With Vista, Microsoft has looked to develop a set of layered mitigations to provide defense-in-depth protection -- making it a more secure operating system than its predecessors. New security features include: User Account Control, BitLocker Drive Encryption, Data Execution Prevention, Network Access Protection and Windows Service Hardening, to name a few. So, again, Vista certainly doesn't lack security. Maybe in light of the recent research presented at the Black Hat USA 2008 security conference by Mark Dowd and Alexander Sotirov, the question should be "Is Vista's security up to par?"

Dowd and Sotirov demonstrated techniques to bypass the memory protection safeguards in the Vista operating system by exploiting flaws in a browser application. The demo led to some dramatic headlines about how effective the Vista security upgrade is, particularly as the attacks are not based on any new or specific vulnerabilities in either Internet Explorer or Vista, but instead are a way of defeating the security mechanisms put in place to protect the operating system. Let's look at the attack in a little more detail to see if we can answer the second part of the question regarding an operating system ever being completely safe.

In Windows XP SP2, a set of hardware and software technologies called Data Execution Prevention (DEP) was introduced. DEP performs additional checks on memory to help prevent malicious code from running from a non-executable memory region. With DEP enabled, each block of memory in a process must be explicitly marked "executable" before the processor can run any instructions stored in that block. The primary aim of DEP is to prevent easy exploitation of memory-corruption flaws, such as buffer overflows. Attackers, however, discovered that by passing control not to their own injected code, but instead to existing code in one of the system DLLs loaded into the process, DEP protection could be circumvented. In Vista, DEP has been reinforced by the introduction of ASLR, or Address Space Layout Randomization. ASLR loads system files at random addresses in memory to make it harder for malicious code to know where privileged system functions are located.

What Dowd and Sotirov have shown are several different techniques for bypassing DEP and ASLR. One technique is to use a plug-in to fill large amounts of memory with the malicious executable code, so that the attacker can still be sure the code is where he or she needs it to be despite the presence of ASLR. This hole can easily be fixed and is ineffective on a 64-bit system.

In my mind, the primary issue is that Vista's protections are not always "active." To start, not all applications are DEP-compliant. Internet Explorer 7 and Firefox 2 actually opt out of DEP, while many third-party libraries such as the Flash plug-in opt out of ASLR. Java is another problem altogether, as it marks all of its memory as executable, meaning that a Java applet can place into memory executable code that's immune to DEP protection. Also, a large proportion of the software that we run still doesn't use "safe" programming languages, such as Java and .NET, which prevent buffer overflows.
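DEP and ASLR only protect images that opt in through flags in the PE header (the "opt out" cases above). As an added example that is not part of the original article, the following Python reads a PE file's DllCharacteristics field and reports whether an executable or DLL opts into DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE); the minimal headers built by `build_sample_pe` are constructed for illustration and are not loadable images.

```python
import struct
import sys

# DllCharacteristics bits in the PE optional header (same values for PE32 and PE32+).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts into DEP

def pe_mitigations(data: bytes) -> dict:
    """Parse a PE image's headers and report its DEP/ASLR opt-in flags."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported or truncated optional header")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }

def build_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a loadable image) used as sample input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)           # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)

def report(path: str) -> str:
    """One-line summary for a file on disk, e.g. a browser plug-in DLL."""
    with open(path, "rb") as f:
        m = pe_mitigations(f.read(4096))     # headers sit well inside the first 4 KiB
    state = lambda on: "on" if on else "OPTED OUT"
    return f"{path}: DEP={state(m['dep'])} ASLR={state(m['aslr'])}"

if __name__ == "__main__":
    for p in sys.argv[1:] or []:
        print(report(p))
    if len(sys.argv) == 1:                   # no paths given: show the constructed samples
        print(pe_mitigations(build_sample_pe(0)))
        print(pe_mitigations(build_sample_pe(0x0140, pe32plus=True)))
```

Run it with one or more `.exe`/`.dll` paths to list which images would run without DEP or at a fixed address even on a system where both mitigations are enabled.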

The conclusion I draw from this is that it is virtually impossible to build a completely safe operating system that accommodates literally hundreds of thousands of different programs, scripts, applets, etc., written by many different vendors whose developers may be good or average. Take browser applications, for example. The architecture of browsers means that all code runs in the same process, providing no isolation between different components. This can lead to holes in the memory protections and in the plug-in architecture. An operating system cannot stop such problems -- research points to ways around ASLR and DEP on all OSes -- but it can make it less likely that malicious code will execute.

If you have an OS running on a locked-down box, isolated in a secure room with no network connections, and it is running a single application, then most of today's OSes can be considered secure. But most OSes don't operate in that environment. Security protection in Vista perhaps isn't as comprehensive as was first thought, and is unlikely to ever be unbreakable, but the layers of protection used in Vista are still effective at mitigating many attacks and preventing the exploitation of vulnerabilities in server processes.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

This was first published in February 2009
